Data Security and the Small Business Part 2
Identifying that personal data
Firstly, let’s clarify what data were are trying to protect. The forthcoming EU GPDR legislation is only concerned with personal data so, in terms of your future legal obligations, only the data that you collect about individuals is relevant. It is, however, good business practice to secure all your business data with the same diligence that you will need to apply to personal data.
Now you have to identify the “personal” data. This is anything that can be used to identify a particular person. That puts a whole lot of stuff within scope of the legislation but let’s consider some examples. If you sell anything to customers – and especially your normal everyday consumers – then you will undoubtedly have enough personal information to identify a particular person (a name and address, for example) and thus have in scope personal data.
If you are a business of any size then you will most likely have some sort of customer relationship management (CRM) system – like Customer Manager in Office 365 - will all your business contacts. Is that personal data? It could well be. A name on its own would probably not be enough to identify a particular person as there are thousands of John Smiths but what if someone has a name like Bobcat Chocolatebiscuit? If in doubt, then it is best to treat it all as in scope.
Then identify what this personal data is being used for. The new legislation, like the old legislation, wants you to only collect data for a defined purpose and timescale unlike the government itself who can collect any data for any purpose without telling you. That’s the difference between them and us.
A defined purpose would be something like processing an order. As you might imagine, the new legislation introduces logistical challenges as, once you have processed that order, you might well have to delete that customer data or, at least, provide a selectable option to do so for your customer as you technically have no further need for the information. However, let us assume that you offer a guarantee on what you have sold and the customer contacts you three months later as the product has a fault and demands a refund. You can tell from the order number that the product is within its guarantee period but you have no customer details, as the customer opted to delete their information after purchase, to confirm if you are dealing with the original purchaser. Another avenue for fraud is duly opened.
So you have identified your data and what it is used for. Now you have to find all your data. That might be an easy task if all you have in one computer in your office. These days, that computer is probably a phone and it travels everywhere with you. The personal data is therefore on your phone or in the Cloud (the Cloud is the technical term for “somewhere out there”). Accounts software these days will also store information in the cloud. If you have a website that sells stuff then there will almost certainly be personal data stored in on a backend database server that you have no direct access to and, naturally, a backup of any of this data whether local or in the Cloud will contain the same personal data and will therefore need to be identified and protected. You will probably have guessed that your entire email provision, whether internal or hosted, is also within scope as, somewhere in there, there will undoubtedly be some personal data.
- Identify all the personal data that you might have stored (anything that could be used to identify a particular individual – name + address, name + date of birth, name + Facebook ID etc.)
- Identify the use for the personal data that you have stored (if you don’t know why you are keeping the personal data then it might be time to delete the unneeded personal data so you don’t have to look after it)
- Identify the location of all the personal data (laptops, phones, web servers of in “The Cloud”)
Now that you know where that personal data is, In part 3 it will be time to figure out how to protect it.